FIG. 1A (figure labels): POLICY MANAGER SERVER 112: CPU 118, ROM 120, RAM 122, NON-VOLATILE MEMORY 124, DISPLAY 128. CLIENT SERVER 116n: CPU 132, ROM 134, RAM 136, NON-VOLATILE MEMORY 138, INPUT DEVICE 140, DISPLAY 142. Unlabeled reference numerals: 110, 130, 144.



FIG. 2 (figure labels): POLICY MANAGER SERVER; NON-VOLATILE MEMORY 124; POLICY MANAGER 210; MANAGEMENT STATION 212; DISTRIBUTOR 214; LOGGER (numeral illegible); DBMS 218; AUDIT LOG 220; OPTIMIZED POLICY 222; ENTERPRISE POLICY 224; ADMINISTRATIVE POLICY 226; LOCAL ADMINISTRATIVE POLICY 228.



FIG. 2A (figure labels): NON-VOLATILE MEMORY 124; MANAGEMENT STATION OR BUSINESS LOGIC CONSOLE (BLC) 212; POLICY MANAGER (BLM) 210; POLICY CHANGE TRACKING TABLE 233; LOGGER 216; DBMS 218; AUDIT LOG (numeral illegible); OPTIMIZED POLICY 222; ENTERPRISE POLICY 224; ADMINISTRATIVE POLICY 226; LOCAL ADMINISTRATIVE POLICY 228; POLICY CHANGE TRACKING 230; POLICY CHANGE REVERSING 232; POLICY ANALYSIS 234; POLICY DISTRIBUTOR 214; TO NETWORK 114.



FIG. 3 (figure labels): CLIENT SERVER; NON-VOLATILE MEMORY 138; APPLICATION GUARD 310; APPLICATION 312; AUTHORIZATION LIBRARY 314; AUTHORIZATION ENGINE 316; LOCAL CLIENT POLICY 318.



FIG. 3A (figure labels): CLIENT SERVER; NON-VOLATILE MEMORY 138; APPLICATION GUARD 310 (BLE); AUTHORIZATION LIBRARY (numeral illegible); AUTHORIZATION ENGINE 316; LOCAL CLIENT POLICY 318; LOCAL POLICY ANALYSIS 319; REPOSITORY API 330; LOCATION API 331; QUERY API 332; APPLICATION(S) 312.



FIG. 4 (figure labels): POLICY MANAGER; MANAGEMENT STATION (numeral illegible); GUI 410; MANAGEMENT SERVICES 412; NAVIGATION 414; SEARCH 416; DISTRIBUTION 418; EDIT 420; QUERY 422; LOG VIEWER (numeral illegible); COMMUNICATION INTERFACE 434; APPLICATION GUARD (numeral illegible); PARSER/TYPE CHECKER 428; DELAYER 430; ODBC 432; POLICY CHANGE TRACKING 434; POLICY CHANGE REVERSING 436; POLICY ANALYSIS 438; LOCAL ADMINISTRATIVE POLICY 228; AUDIT LOG 220; OPTIMIZED POLICY 222; ENTERPRISE POLICY 224; ADMINISTRATIVE POLICY 226; MESSAGE PROCESSING 456; COMMUNICATION INTERFACE 452; ODBC 454; CLIENT AUDIT LOG 450; OPTIMIZER 436; DIFFER 438; COMMUNICATION INTERFACE 442; ODBC 440. Unlabeled reference numeral: 214.



FIG. 5 (figure labels): APPLICATION GUARD 310; APPLICATIONS; APPLICATION GUARD INTERFACE (numeral illegible); AUTHORIZATION LIBRARY 314; AUTHORIZATION ENGINE 316; PLUG-INS 522; PARSER/TYPE CHECKER 514; EVALUATOR; AUDIT 518; COMMUNICATION INTERFACE 520; LOCAL CLIENT POLICY 318; SERVER DISTRIBUTOR 214; SERVER LOGGER 216.




PLUG-IN API 606



FIG. 7 (flowchart labels): CLIENT ACCESS AUTHORIZATION; START; CONSTRUCT AND ISSUE AUTHORIZATION REQUEST 710; EVALUATE AUTHORIZATION REQUEST (numeral illegible); RECORD REQUEST IN AUDIT LOG (numeral illegible); DENY ACCESS 718; ALLOW ACCESS 722; DENY ACCESS 724; END.




FIG. 8 (figure labels): DOMAIN SERVICE FACTORY CLASS 804; CREATE (1 to 1...*); DOMAIN SERVICE OBJECT 806; CREATE (1 to 1...*); CREDENTIALS MGR OBJECTS 808; CREATE (1 to 0...*); CREDENTIALS OBJECTS 810; APPLICATION NAME(S) 807; HAS METHODS 812: ACCESS ALLOWED ( ), BULK ACCESS ALLOWED ( ), QUERY PRIVILEGE ( ), QUERY OBJECTS ( ).



FIG. 9 (flowchart labels): DISTRIBUTE POLICY; START; OPTIMIZE POLICY (DISTRIBUTOR) 910; COMPUTE DIFFERENCES (DISTRIBUTOR) 912; PUBLISH POLICY (DISTRIBUTOR) 914; COMMIT POLICY (DISTRIBUTOR) 916; RECEIVE POLICY (APPLICATION GUARD) 918; MERGE NEW POLICY (APPLICATION GUARD); ACTIVATE POLICY (APPLICATION GUARD); END.






FIG. 10 



FIG. 12 (flowchart labels): START; MAKE n SEQUENCE OF INCREMENTAL CHANGES TO A CURRENTLY ENFORCED POLICY VERSION 1204; KEEP TRACK OF THE INCREMENTAL CHANGES 1206; GENERATE AN ACCUMULATED DELTA 1208; TRANSMIT THE ACCUMULATED DELTA 1210; UPDATE THE CURRENTLY ENFORCED POLICY VERSION BASED ON THE ACCUMULATED DELTA 1212; END.



FIG. 13 (flowchart labels): START; ENTER A RECONSTRUCTION REQUEST 1304; GENERATE A COMBINED REVERSING CHANGE D (REVERSING) 1306; SEND THE COMBINED REVERSING CHANGE D (REVERSING) TO POLICY DISTRIBUTOR 1308; TRANSMIT THE COMBINED REVERSING CHANGE D (REVERSING) 1310; RECONSTRUCT A PREVIOUSLY ENFORCED POLICY VERSION BASED ON THE COMBINED REVERSING CHANGE D (REVERSING) 1312; END.



FIG. 14 (figure labels): GRANT (EXECUTE, TRADE); JUNIOR TRADER 1404; SENIOR TRADER 1406; TRADER MANAGER 1408; MARY; BOB; SUSAN; TOM; TIM; JOHN DOE.



FIG. 15 (figure labels): GLOBAL.



FIG. 16 (flowchart labels): START; ENTER A QUERY AT BLC AND FORWARD REQUEST TO POLICY MANAGER SERVER 1604; INTERPRET THE QUERY AND PROCESS THE QUERY AT POLICY MANAGER SERVER 1608; BLC RECEIVES AND DISPLAYS QUERY RESULTS 1610; END.



FIG. 17 (flowchart labels): START; ENTER A QUERY IN APPLICATION AND FORWARD REQUEST TO CLIENT SERVER (BLE) VIA BLE API 1704; INTERPRET THE QUERY AND PROCESS THE QUERY AT CLIENT SERVER 1706; APPLICATION RECEIVES AND USES QUERY RESULTS 1708.



